> Well, I think that regardless of what schannel ends up using, wininet
> and winhttp should be implemented on top schannel in the long term,
> instead of using OpenSSL directly. I don't think GnuTLS is really the
Well, that's certainly true, as there are features of at least wininet
that can't be implemented as long as OpenSSL is using a file
descriptor directly. I don't have enough confidence in schannel's
current implementation to start that, though.
> problem though, or that the existing schannel code is particularly
> badly implemented. It seems to me that it's more a case of the
> schannel / secur32 API being somewhat unclear, even to the
> applications actually using it. Tests would certainly help there, but
Perhaps. Tests would help convince me.
> what IMO complicates writing them is that only the client part of
> schannel is currently implemented.
That might be true for writing tests against Wine's implementation,
but there's nothing to stop them from being skipped if a server
implementation isn't available. In general, I write tests against
Windows first. How is this case different? Furthermore, adding a
server implementation to schannel isn't likely to be that complex, as
GnuTLS does support server-side connections as well, so if that's
what's holding back tests, it shouldn't be.
> Not really. IMO it's just a case of neglect.
Agreed that it is neglected. Without tests, I'm nervous to take on
ownership of it. There have been a few half-hearted attempts to work
in this area, but I haven't seen much contribution from people willing
to maintain the code over the long term.
I may be flogging a dead horse here, but I personally am loath to see
another implementation creep in, side by side with the existing one,
that has no guarantee of working any better. I don't see how this
helps CodeWeavers, either, other than reducing installation
complexity. If there are bugs in the new implementation, and I expect
there will be, you'll still have a large support load. Worse, even if
you succeed in fixing bugs for your Mac customers, the rest of us
don't benefit, as the current implementation still isn't getting any
support. If there are development resources available to work on
schannel, why not put them into something that benefits the project as
a whole?
--Juan